Service processing switch

ABSTRACT

Methods and systems for providing IP services in an integrated fashion are provided. According to one embodiment, a system includes a switch fabric and a line interface/network module, multiple virtual routing engines (VREs) and a virtual services engine (VSE) coupled with the switch fabric. The line interface/network module receives packets, steers ingress packets to a selected VRE and transmits egress packets according to their relative priority. VREs determines if a packet associated with a packet flow requires processing by the VSE by performing flow-based packet classification on the packet and evaluating forwarding state information associated with previously stored flow learning results. The VSE includes a central processing unit configured to perform firewall processing, Uniform Resource Locator (URL) filtering and anti-virus processing. If the packet is determined to require processing by the VSE, then the packet is steered to the VSE for firewall, URL filtering and/or anti-virus processing.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.12/123,443, filed on May 19, 2008, now U.S. Pat. No. 7,720,053, which isa continuation of U.S. patent application Ser. No. 10/163,260, filedJun. 4, 2002, now U.S. Pat. No. 7,376,125 issued May 20, 2008, both ofwhich are hereby incorporated by reference in their entirety for allpurposes.

This application is related to U.S. patent application Ser. No.10/163,162, entitled “System and Method for Hierarchical Metering in aVirtual Router Based Network Switch,” filed Jun. 4, 2002, now U.S. Pat.No. 7,161,904, to U.S. patent application Ser. No. 10/163,261 entitled“Network Packet Steering,” filed Jun. 4, 2002, now U.S. Pat. No.7,203,192, to U.S. patent application Ser. No. 10/163,073 entitled“Methods and Systems for a Distributed Provider Edge,” filed Jun. 4,2002, now U.S. Pat. No. 7,116,665, to U.S. patent application Ser. No.10/163,071 entitled “System and Method for Controlling Routing in aVirtual Router System,” filed Jun. 4, 2002, now U.S. Pat. No. 7,340,535,and to U.S. patent application Ser. No. 10/163,079 entitled “System andMethod for Routing Traffic through a Virtual Router-Based NetworkSwitch”, filed Jun. 4, 2002, now U.S. Pat. No. 7,177,311, all of whichare hereby incorporated by reference in their entirety for all purposes.

COPYRIGHT NOTICE

Contained herein is material that is subject to copyright protection.The copyright owner has no objection to the facsimile reproduction ofthe patent disclosure by any person as it appears in the Patent andTrademark Office patent files or records, but otherwise reserves allrights to the copyright whatsoever. Copyright© 2002-2010, Fortinet, Inc.

BACKGROUND

1. Field

Embodiments of the present invention generally relate to packetswitching, and more particularly to a system and method for providing IPservices in an integrated fashion.

2. Description of the Related Art

Internet or WAN service providers (SPs) operate in a crowded marketplacewhere cost effectiveness is critical. Cost control is, however,difficult. At present internetwork bandwidth is a commodity item withextremely tight margins. If the SP wishes to provide additionalvalue-added services such as firewalls, the SP must install andconfigure expensive Customer Premises Equipment (CPE) at subscriberlocations. Problems that arise often require a trip by a servicetechnician to the subscriber's location. It can be difficult to add newservices.

This model of value-added service delivery creates an expensive up-frontcapital investment, as well as significant operational expenses that areassociated with onsite installation and management of thousands ofdistributed devices. The results are service delivery delays, increasedcustomer start-up costs and/or thinner service provider margins.

Service providers need a way of escape from commoditized bandwidthofferings and from traditional equipment-intensive service deliveryarchitectures that drain profits.

SUMMARY

Methods and systems are described for providing IP services in anintegrated fashion. According to one embodiment, a system includes aswitch fabric and a line interface/network module, multiple virtualrouting engines (VREs) and a virtual services engine (VSE) all coupledwith the switch fabric. The line interface/network module receivespackets, steers ingress packets across the switch fabric to a selectedVRE and transmits egress packets according to their relative priority.The selected VRE determines if a packet associated with a packet flowrequires processing by the VSE by performing flow-based packetclassification on the packet and evaluating forwarding state informationassociated with previously stored flow learning results based on apreviously received packet of the packet flow. The VSE includes at leastone central processing unit configured to perform firewall processing,Uniform Resource Locator (URL) filtering and anti-virus processing. Ifthe packet is determined to require processing by the VSE, then thepacket is steered across the switch fabric to the VSE for one or more ofthe firewall processing, the URL filtering and the anti-virusprocessing.

Other features of embodiments of the present invention will be apparentfrom the accompanying drawings and from the detailed description thatfollows.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention are illustrated by way of example,and not by way of limitation, in the figures of the accompanyingdrawings and in which like reference numerals refer to similar elementsand in which:

FIG. 1 is a block diagram of a service processing switch according toone embodiment of the present invention.

FIG. 2 conceptually illustrates an example of an IP Service DeliveryPlatform according to one embodiment of the present invention.

FIG. 3 illustrates the architecture of an IP Service Generator (IPSG)according to one embodiment of the present invention.

FIG. 4 illustrates an exemplary master architecture of an IP ServiceGenerator (IPSG) according to one embodiment of the present invention.

FIG. 5 is a block diagram of a flow manager according to one embodimentof the present invention.

FIG. 6 is a table illustrating various packet types and correspondinggroups, DiffServ classes, ATM classes and queues according to oneembodiment of the present invention.

FIG. 7 is a table illustrating various connectivity options andcorresponding form factors, total queues and total memory according toone embodiment of the present invention.

FIG. 8 is a block diagram of a Virtual Routing Engine (VRE) according toone embodiment of the present invention.

FIG. 9 is a block diagram of an Advanced Security Engine (ASE) accordingto one embodiment of the present invention.

FIG. 10 is a table illustrating layers of the OSI model and roughlycorresponding objects of the IPNOS model.

FIG. 11 conceptually illustrates frame processing by an IP ServiceGenerator (IPSG) according to one embodiment of the present invention.

DETAILED DESCRIPTION

Methods and systems are described for providing IP services in anintegrated fashion. In the following detailed description of exemplaryembodiments of the invention, reference is made to the accompanyingdrawings which form a part hereof, and in which is shown by way ofillustration specific exemplary embodiments in which the invention maybe practiced. These embodiments are described in sufficient detail toenable those skilled in the art to practice the invention, and it is tobe understood that other embodiments may be utilized and that logical,mechanical, electrical and other changes may be made without departingfrom the scope of the present invention.

Some portions of the detailed descriptions which follow are presented interms of algorithms and symbolic representations of operations on databits within a computer memory. These algorithmic descriptions andrepresentations are the ways used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is here, and generally,conceived to be a self-consistent sequence of steps leading to a desiredresult. The steps are those requiring physical manipulations of physicalquantities. Usually, though not necessarily, these quantities take theform of electrical or magnetic signals capable of being stored,transferred, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers, or the like. It should be borne in mind, however, thatall of these and similar terms are to be associated with the appropriatephysical quantities and are merely convenient labels applied to thesequantities. Unless specifically stated otherwise as apparent from thefollowing discussions, terms such as “processing” or “computing” or“calculating” or “determining” or “displaying” or the like, refer to theaction and processes of a computer system, or similar computing device,that manipulates and transforms data represented as physical (e.g.,electronic) quantities within the computer system's registers andmemories into other data similarly represented as physical quantitieswithin the computer system memories or registers or other suchinformation storage, transmission or display devices.

In the Figures, the same reference number is used throughout to refer toan identical component which appears in multiple Figures. Signals andconnections may be referred to by the same reference number or label,and the actual meaning will be clear from its use in the context of thedescription.

The following detailed description is, therefore, not to be taken in alimiting sense, and the scope of the present invention is defined onlyby the appended claims.

Operating Environment

As noted above, traditional models of value-added service deliverycreate an expensive up-front capital investment, as well as significantoperational expenses that are associated with onsite installation andmanagement of thousands of distributed devices. The results are servicedelivery delays, increased customer start-up costs and/or thinnerservice provider margins.

A system 2 for providing such services in a more cost-effective way isshown in FIG. 1. Instead of requiring an array of CPE at subscriberlocations in order to deploy IP services, system 2 includes one or moreservice processing switches 10 which enable a service provider toseamlessly infuse into and deliver from their network value-added IPservices that can be bundled with subscribers' access services. In theembodiment shown, each switch 10 resides in the SP's Point of Presence(POP) 12. In one embodiment, switch 10 is installed at the edge of thecore 14 and communicates with core routers within core 14. In one suchembodiment the connection through switch 10 to each core router isenabled through a Service Provider Virtual Router (VR), which will bedescribed below. In some such embodiments, switch 10 will function as anMPLS Label Edger Router (LER) establishing Label Switched Paths (LSPs)running through routers such as a Juniper M40 or a Cisco 12000.

An example of an IP Service Delivery Platform 2 based on switch 10 isshown in FIG. 2. By deploying the IP Service Delivery Platform 2 of FIG.2, SPs can overlay value-added services directly onto access offerings.

In one embodiment, switch 10 is a 26-slot, carrier-class solution thatmarries switching, routing, and computing resources with an openoperating system, IPNOS. In one such embodiment, switch 10 leverages thearchitecture described in U.S. patent application Ser. No. 09/661,130,filed Sep. 13, 2000 through the use of new IP Service Generators (IPSGs)(see FIG. 3). This combination is a powerful solution that gives SPs theindustry's only multi-gigabit rate solution for delivering value-addedIP services over basic transport to enterprise subscribers.Additionally, the solution delivers the processing power required toscale value-added IP services to the speed of light, consolidatesnetwork equipment and reduces operational resources required for IPservice delivery, enables user-level services customization andaccounting without performance degradation and offers investmentprotection through a service processing migration path.

Service Providers can install up to 12 dual-slot IPSGs 20 in switch 10of FIG. 3, choosing from a variety of interfaces: Gigabit, Ethernet,DS3/E3, POS and ATM. In addition, by using hardware-based routing andcomputing techniques such as parallel processing and pipelining, such anapproach produces the highest aggregate IP services. In one suchembodiment, each IPSG 20 scales to support tens of thousands ofsubscriber sites and a million unique ACL-based service definitions). Aswitch 10 fully loaded with IPSGs can scale application services acrosshundreds of thousands of enterprise network sites.

In one embodiment, each IPSG 20 is a self-contained subsystem with anadvanced service processing architecture for delivering network-based IPservices such as Virtual Private Networks (VPNs) and Managed Firewall atmulti-gigabit per second rates (OC-48). The IPSG has been designed tomatch the capacity of Service Providers' edge transport build-outs sothey can bundle value-added services seamlessly with their high-speedaccess services. In one embodiment, each IPSG 20 occupies two Universalslots when installed in a Service Processing Switch 10.

As noted above, the IPSG architecture produces the highest aggregate IPservices processing rate in the industry by marrying hardware-basednetwork processor capabilities with high-end computing techniques likeparallel processing and pipelining. In one embodiment, an IPSG 20optimizes performance through three application-tailored engines: aVirtual Routing Engine (VRE), a Virtual Services Engine (VSE), and anAdvanced Security Engine (ASE).

The VRE enables packet classification, deep packet inspection andservice customization for up to a million Access Control List(ACL)-level flows. The VSE performs parallel processing and pipelining,two high-end computing techniques that optimize network-basedperformance for third-party solutions such as Check Point FireWall-1 andMcAfee anti-virus. The ASE rapidly accelerates encryption processing forEPSec site-to-site and dial VPNs through the use of specializedencryption hardware.

In one embodiment, each IPSG 20 is based on the same master architecture(see FIG. 4). In the example shown in FIG. 4, the architecture iscentered on a 51.2 Gbps, 8-port, fully meshed, non-blocking ServiceGenerator Fabric 22. By intelligently partitioning out the processingelements and having them all communicate via the same high performancefabric 22, a modular and scalable services delivery architecture ispossible. As a result, a varying number of processingelements—specifically, VREs, VSEs and ASEs—can be combined andpre-integrated with the Service Generator Fabric 22, LineInterface/Network Modules 24 and the Midplane Interface 25 into a familyof IPSGs 20. Each IPSG 20 offers the optimum mix of scalable services,internetworking functions and performance for service providers fromregional SPs all the way up to global carriers. By deploying additionalIPSGs 20 in a single chassis, the services and performance of switch 10can scale for an extremely long and profitable investment.

Although the processing requirements for network access and trunkenvironments have many aspects in common, such as network media, packetclassification, virtual routing and packet forwarding, they do havesignificant differences in terms of scalability, depth of packetprocessing, computing power requirements and network interfacebandwidth. Again, by intelligently partitioning out the processingelements into application-tailored engines such as the VRE, VSE and ASE,and by distributing functions across them, the services and functionalrequirements of both trunk and access environments are unified in thesame architecture.

In one embodiment, each IPSG 20 employs pipelining across and within allits elements—Line Interface/Network Module 24, Service Generator Fabric22, the Midplane Interface 25, VRE, VSE and ASE. Packet processingfunctions in Layers 3-7 are notoriously computation and memoryintensive. Switch 10 takes advantage of the fact that Layer 3 packetfunctions, and in particular IP forwarding, are repetitive and can beperformed in dedicated hardware. The CPUs in each VRE, VSE and ASE arecoupled with specialized hardware that serve to offload from the CPUsthe processing of basic network functions such as routing and packetforwarding. This leaves more MIPS and memory bandwidth that can bededicated to upper layer packet processing such as firewall, URLfiltering, anti-virus, etc.

As is shown in FIG. 4, in one embodiment, each VRE includes a virtualrouting processor 30, a virtual service controller 32, a CPU 34 andmemory 36. Each VSE includes a virtual service controller 32, two CPUs34 and memory 36. Each ASE includes a security manager 38 and securityhardware 40 used to accelerate security services such as encryption orkey generation. In one embodiment, CPU 34 is a IBM PowerPC 750CX andsecurity hardware 40 includes the Hi/fn 7851 (an encryption acceleratorchipset supporting 500 Mbps of IPSec forwarding and hardware-basedcompression) and the Hi/Fn 6500 (a key accelerator enablinghardware-assisted Internet Key Exchange (IKE) negotiations and publickey generation.

In one embodiment, a flow manager 42 residing on Line Interface/NetworkModule 24 and Midplane Interface 25 load balances service requests tothe optimal VSE and VRE and supports robust priority/Weighted RoundRobin (WRR) queuing capabilities. Virtual Routing Processor 30 provideshardware-assist capabilities for IP forwarding, MultiProtocol LabelSwitching (MPLS), Network Address Translation (NAT), DifferentiatedServices (DiffServ), statistics gathering, metering and marking. VirtualService Controller 32 supports parallel processing and pipelining foroptimum deep packet inspection and for third-party applicationcomputing. Security Manager 38 load balances and monitors IPSec sessionsacross a pool of four Hi/fn 7851 encryption chips for the highestcapacity VPN processing possible.

In one embodiment, in order to achieve gigabit wire-speed packet datatransfers from a physical port through the system and back out toanother physical port and vice versa, all the system elements along thepacket datapath throughout IPSG 20 are designed as full-duplex,high-bandwidth streaming interfaces. There is no packet data pathbottleneck such as PCI or other peripheral IO interfaces. Using afull-duplex datapath of 32 bits and a minimum interface clock speed at100 MHz, there is ample bandwidth headroom designed in to scale packetthroughput to OC-48/STM-16 (2.4 Gbps) in each direction throughout theIPSG. Ample buffer size and the use of single-stage buffering techniquesalong the packet datapaths help absorb burstiness in IP traffic, as wellas keeping a low packet loss ratio.

In one embodiment, flow manager 26 provides the following functions:wire-speed Layer 2 packet classification, wire-speed ingress packet flowdirection, wire-speed egress priority queue-based congestion avoidanceand bandwidth control and 50 ms intra-blade Automatic Protect Switching(APS) support for POS and ATM interfaces.

In one such embodiment, as is shown in FIG. 5, Flow Manager 26 consistsof two parts: an ingress flow director 50 and an egress flow controller54.

Layer 2 and 3 packet header parsing and error checking is performed onthe fly as the packet enters Flow Manager 26 from the physical port.Layer 2 parsing supports PPP (RFC 1619, 1662), MLPPP (RFC 1990), CiscoHDLC, MultiProtocol over Frame Relay (RFC 2427), PPPoE (RFC 2516),Ethernet, VLAN, and MultiProtocol over ATM (RFC 2684).

Layer 3 parsing supports IP header definition (RFC 1812) and MPLS (IETFlabel standard). The result of this function is to ensure the packet isfree of link layer and IP/MPLS header errors, to offset into the packetwhere the Layer 3 header begins and to determine what the Layer 3protocol is (IP/MPLS/IS-IS). All this information is written into asystem control header that Flow Manager 26 later uses to encapsulate theoriginal packet.

Using a wire-speed table lookup mechanism, an ingress flow directorwithin flow manager 26 assists traffic distribution by directing eachincoming packet to one of several destination engines. The ingress flowdirector parses the Layer 2 header of each packet and extractsinformation to address a programmable SRAM-based lookup table 52. Theextracted information is the packet's logical interface, which isassociated with a Virtual Router (VR) in the Service Generator thatcontains the destination engine ID.

Using the lookup table result, Flow Manager 26 constructs an internalcontrol header and prepends it to the incoming packet and sends thepacket to Service Generator Fabric 22. Service Generator Fabric 22 looksat the destination field of the control header and determines to whichof its client engines the packet should be sent. Software is responsiblefor initializing and updating the lookup table. Software getsinformation about the load of each engine by monitoring its internalstates and packet statistics collected by the hardware circuits acrossengines. Programming an entry in the table is in the form of softwarewriting an in-band high priority Programmed IO (PIO) message from anengine through Service Generator Fabric 22 into Flow Manager 26.

In one embodiment, hardware-assisted QoS mechanisms are distributedthroughout the entire IPSG 20. In one such embodiment, egress flowcontroller 54 is responsible for priority queuing with congestioncontrol using the WRED algorithm, as well as custom queue-basedscheduling using a four-priority WRR algorithm. There are four differentPriority Groups, each with absolute priority over subsequent groups(i.e., groups with a higher number). Group 4 has five queues and WRR isperformed among those five queues to determine which queue is servicedwhen Group 4 is serviced. For the last four queues of Group 4, theweight per queue is a customer-configurable parameter.

The IPSG supports three levels of QoS: EF, AF and BE. EF providespremium-expedited service with low jitter and low delay. There are twotypes EF traffic: EF guaranteed and EF regular. EF guaranteed can beused by high priority traffic such as system network control andIP-based voice services. EF regular is lower priority than EFguaranteed, though still higher priority than all AF and BE traffic. AFtraffic is higher priority than BE. Within AF, there are foursubclasses: AF1, AF2, AF3 and AF4. These subclasses and BE aredifferentiated by weighted scheduling factors. A representative defaultpriority queue QoS mapping is shown in FIG. 6.

In one embodiment, there are two different types of Lineinterface/Network Modules in the IPSG: those with fixed-sized queues andthose with variable-sized queues. Fixed-sized queue LineInterface/Network Modules have a total of eight queues with 256 KB perqueue, all the queues sharing a 2 MB shadow memory SRAM. The queues areshared across all the ports of the interface.

The variable-sized queue Line Interface/Network Modules introduce theconcept of linking buffers together to dynamically allocate differentsized queues. There are up to 8,000 channels per interface (the numberof channels will change depending on the interface selected). Each ofthese channels has eight priority levels that are mapped to eightseparate queues for each channel, resulting in the 64,000 queues. Eachqueue created is actually a link of 1 Kbyte buffers. Each buffer holdseither a single packet or a partial packet but never data from twodifferent packets. Each of the eight queues in each channel is adynamically sized linked list. Each list can have 255 buffers of 1,024bytes. Additionally, there exists 128 MB of external SDRAM for packetstorage. The 128,000 buffers in this SDRAM are shared among the 8,192QoS channels.

The priority queues are mapped to both IETF DiffServ traffic classes aswell as ATM Forum traffic classes.

Layer 3 and 4 traffic classification, the actual determination of whichegress queue a packet should be sent to, is based on DiffServ Type ofService (TOS) field marking, classification based on IP header fields,metering and rate control, which all take place in the Virtual RoutingProcessor on the VRE. A representative queue configuration is shown inFIG. 7.

The goal of the WRED algorithm is to randomly distribute the discardingof packets after a pre-determined level of congestion has been reachedwithin the system. A discarded packet alerts the TCP layer thatcongestion is occurring in the system and that the sending side shouldback off its transmission of packets. Effective congestion control istime critical; in one embodiment, therefore, this function was placedcompletely in hardware. The alternative to WRED is known as “taildropping”, where significant numbers of packets are discarded at oncecausing the TCP layer to back off in waves, and thereby delivering poorbandwidth utilization.

For Line Interfaces/Network Modules 24 with fixed-sized queues, as apacket returns to an egress interface, it will be subject to the WREDdrop determination algorithm. Based on the information in the internalcontrol header, the queue number for the packet is determined. Theprobability of randomly dropping the packet is proportional to theaverage fill-level (fullness) of that queue and itssoftware-programmable parameters such as Minimum Threshold (Minth) andMaximum Threshold (Maxth). The parameters are unique per priority queueand per drop preference. (Drop preference is described below. Droppreference is a result of DiffServ TOS field-based traffic marking andmetering. There are three drop preferences: green, yellow and red. Redhas the highest drop preference).

The drop preferences offer three drop profiles (based on three droppreferences) for each priority queue. The Minth controls the onset ofthe random packet dropping. This means as the queue is filled withpackets, if the average fill level exceeds the Minth, random packetdropping is kicked in. The Maxth controls the onset of total packetdropping. This means that as the average queue level exceeds Maxth, allsubsequent packets will be dropped. By manipulating these twothresholds, the level of fullness in a queue is controlled. If the queueis completely filled, it will block further traffic from getting intothe queue.

If the packet is not dropped, it will be queued into one of the priorityqueues in a 2 MB of external shared memory SRAM, based on theinformation in the control header. The three highest priority queues areaddressed in order. These queues must be empty before traffic from thefourth priority group is addressed.

A two-priority WRR packet scheduler determines from which of the fivemedium to lower priority queues the next packet will be sent to theoutbound network. The weight for each of the five queues covers 16 Kband is in 8 byte units. Each weight is software programmable and can bechanged any time. The weight controls how many 8 byte units can bescheduled out of each queue. Once the weight is exhausted, the schedulerwill move on to serve the next queue. Sometimes the weight is exhaustedwhile the packet is still being scheduled. In this case, the remainingamount of 8 byte units will be recorded and deducted from the weight thenext time the queue is served again. This is to improve bandwidthcontrol for mixed-size packet traffic, such as TCP/IP.

It should be noted that all the data transfers in the various sub-blocks(such as WRED, WRR) are pipelined for wire speed.

For Line Interfaces/Network Modules 24 with variable-sized queues, theWRED parameters are uniquely defined on a per channel basis, not on aper queue basis. Instead of looking at the average fill level of thatqueue, these Line Interfaces/Network Modules 24 look at the averagenumber of consumed buffers of the given channel. When a linked listqueue in these Line Interfaces/Network Modules has consumed 255 buffers,tail dropping will occur. If the packet is not dropped, it will bequeued into one of the priority queues in a 128 MB of external SDRAMmemory based on the information in the control header. The three highestpriority queues are addressed in the same manner as mentioned above,except that the weighting of the Priority Group 4 is based on buffersrather than bytes.

For its POS and ATM interfaces, in one embodiment IPSG 20 provides 1+1APS, a physical failover mechanism within a Network Module 24. The1-port OC-12 POS Line Interface doesn't support APS failover mechanismbecause it is limited to only one port. On the other hand, the 2-port1+1 OC-12 POS Network Module does provide the APS capability; only oneport will be active at any one time with or without APS applied. Whenusing the 4-port OC-3 POS Line Interface or 4-port OC-3 ATM NetworkModule, all ports can be active simultaneously; if APS is activated inone pair of ports, the other two ports can be active resulting in threeactive ports in the Network Module 24. Software is responsible fordetecting the conditions (receipt of SONET Physical Layer protocol K1and K2 control bytes) that indicate a link failure.

For the ingress direction, the software programs Network Module 24circuits to direct ingress traffic from either the primary port or theprotect port across the Service Generator Fabric 22. For the egressdirection, the software programs the Network Module 24 circuits tomirror egress traffic onto both working and protect ports. The failovertime meets the Bellcore-GR-253 standard of 50 ms. 1+1 APS is optionalper port pair. For multi-port interfaces, each 1+1 APS port pair isindependent of the others.

Service Generator Fabric 22 is the heart of IPSG 20. It is a fullymeshed, 8-port shared memory switch that provides full-duplexcommunication between any pair of ports. The ports are non-blocking. Allsystem-wide packet traffic as well as control messages pass throughService Generator Fabric 22. Service Generator Fabric 22 treats controlmessages with a higher priority than packet traffic. The ServiceGenerator Fabric 22 employs a shared memory architecture with a totalaggregated throughput of 51.2 Gbps. Ports can be attached to VREs, VSEs,ASEs, the Line Interface/Network Module 24 and the Midplane Interface25.

The full-duplex communication link for each port pair runs at 3.2 Gbpsin each direction, using a time-division streaming data interfaceprotocol. In one embodiment, the time division allows the ServiceGenerator Fabric 22 to serve each of eight input and output port withequal 32 byte size time slots, in round robin fashion, all atOC-48/STM-16+ rates. Other priority schemes can be implemented asneeded.

In one embodiment, all the ports feeding data into and taking data outof the Service Generator Fabric 22 are store-and-forward to minimize theper packet transit time through the Service Generator Fabric 22.

When a packet is ready to be transferred from a Line Interface/NetworkModule 24 ingress to a destination VRE, it is streamed over to theService Generator Fabric 22 shared memory in 32 byte chunks atOC-48/STM-16+ rates. Service Generator Fabric 22 examines thedestination port's availability and then starts to stream the packetover to the destination port in 32 byte chunks at OC-48/STM-16+ rates.

At the same time, if a Service Generator Fabric port has a packetdestined for a Line Interface/Network Module egress, it will also bestreamed over to the Service Generator Fabric shared memory in 32 bytechunks at OC-48/STM-16+ rates. This time-shared cut-through protocolallows the shared memory to remain small (32 Kbytes).

Because the Service Generator Fabric is the single most traveled path byall packets, it has built in reliability. All port links are protectedby Cyclical Redundancy Checking (CRC). CRC is an error detectionmechanism that prevents bad packets from propagating beyond one passthrough Service Generator Fabric 22.

As noted above, in one embodiment, the basic computing resources in aVSE and a VRE consist of 600 MHz IBM PowerPC 750CX CPUs. These CPUsoffer advanced computing features such as two levels of internal cachesand instruction execution optimization 3. Each CPU delivers 1200 MIPS; afully populated IPSG 20 can offer as much as 10,800 MIPS, and a fullyloaded switch 10 can deliver 130,000 MIPS.

A powerful multi-processing CPU enables high-level software,applications and underlying computing processes to execute at thehighest possible speed. These CPUs can also work efficiently together inparallel to share computing data structures and workload.

In order to deliver a world-class services switching platform that movesand processes packets at high rates, in addition to executing softwareprograms and processes, the multiple CPUs on the VSE and VRE are coupledwith the Virtual Service Controller for accelerating virtual servicespacket processing and the Virtual Routing Processor for acceleratingvirtual routing functions. In one embodiment, the VSE and VRE can bethought of having a unified architecture (see FIG. 9). The VSE has onemore CPU than the VRE, while the VRE has the Virtual Routing Processorand its associated memory 31.

Packet movement in and out of memory has been shown to be a bottleneckin server-based routers because the SDRAM-based memory subsystem isdesigned for the needs of data transfer, not packet transfer. Packettransfer does not use memory bandwidth as efficiently as data transfer.Sixty-four byte packets with random arrival and departure can cut memoryefficiency by 40 percent or more. Moreover, in those routers, thepackets originate and end on add-on I/O cards that are subject to I/Obus bottleneck. The typical I/O bus is a PCI-66, which at its bestcannot support full OC-12/STM-4 rate.

In more conventional routers, e.g., Cisco routers, I/O bottleneck iseliminated but the CPU and memory subsystem performance is below that ofserver-based routers. These routers were not purpose-built to runservices like VPNs, firewall or anti-virus. Furthermore, both types ofrouters cannot support more than a dozen routing instances in one box.

In one embodiment, these issues have been addressed within the multi-CPUmemory subsystem by introducing advanced system memory and packettransfer control.

In one such embodiment, the packets in transit through the VSE or VREare stored in the 1 GB external main memory 36, much like a server-basedrouter. However, that is where the similarity ends. A server-basedconventional router fetches network I/O packet transfer controlinformation from software-controlled data structures in main memoryacross an I/O bus, typically a PCI bus. The same I/O bus is also usedfor packet transfer. In the IPSG 20 Virtual Service Controller 32,packet transfer control information is stored and managed at wire speedentirely in the local hardware. Software control of the data structuresuses a separate interface and does not compete with actual packettransfer for main memory bandwidth. This way, main memory bandwidth isoptimized for packet transfer.

The main memory bandwidth is still shared between data transfer (for CPUto run services) and packet transfer. The Virtual Service Controllerincludes a super high-performance (12.8 Gbps) memory controller.Innovative design technique using pipelined interface protocol andoptimized memory access arbitration make this high performance possible.Both data and packet transfers can take advantage of this highbandwidth.

In one embodiment, the virtual routing function within the virtualrouting processor 30 is micro-code based and supports a RISC-likeinstruction set. Packet classification and fast path packet forwardingare performed in hardware at wire speed, with the flexibility needed tostay current with the ever-evolving Internet standards. The CPUs areoffloaded to dedicate more resources to running applications andsoftware processes. The virtual routing function provides fast pathpacket forwarding for established flows. (In this embodiment, a flow isan ACL-level flow. An ACL is an ordered set of rules in a table thatassociates a group of packet header fields to the action that needs tobe performed on such packets with matching header fields. For TCP/IP,for example, the header fields include internal control ID, IP sourceand destination addresses, TCP/UDP source and destination port numbers,IP TOS field and Layer 3 protocol field.)

The virtual routing function adapts design techniques from superscalarcomputing architecture, where there are a number of identical executionunits in parallel, all executing the same program simultaneously but ondifferent packets. Each unit is furthered pipelined into stages to allowoverlapped packet processing. This is necessary to meet the gigabitwire-speed requirement for thousands of simultaneously active VRs.

A packet typically arrives from a Line Interface/Network Module 24through the Service Generator Fabric 22 into one of the packetclassifiers in the Virtual Routing Processor 30. In one embodiment, thepacket's flow index is identified by extracting various Layer 2-4 fieldsof the packet header such as IP TOS, protocol, source address,destination address fields, TCP/UDP source and destination port fields.The packet classifier executes micro-code instructions to extract bitand byte fields and even perform Boolean functions for this purpose. Inone embodiment, a hash function is applied to the contents of the fieldsto obtain an address into a flow cache storing a predetermined number offorward indexes.

Upon a match in the flow cache, a forward index is obtained to addressanother table that contains the blueprint for packet field manipulation,that is, packet processing. For example, the blueprint can specify theaction for firewall filtering, which is to drop the packet. Anotherexample is the act of routing, which includes substituting the Layer 2destination address with next hop value, decrementing Time-To-Live (TTL)and performing IP header checksum adjustment. A third example is NAT,which includes substituting original IP source and/or destinationaddress, TCP/UDP source and/or destination port values. A fourth exampleis DiffServ TOS field marking, flow metering and rate control. A fifthexample is to update packet statistics to support event logging. Yetanother example is GRE tunneling, which includes the encapsulation ofthe original packet header by another packet header.

The blueprint can also specify that the packet be processed, such as thecase of URL filtering or anti-virus scanning, which requires parsing ofpacket payload by a general CPU. Before a flow is set up by software,all packets arriving at the packet classifiers will be sent to softwarefor first time forwarding. Software running on the CPUs 34 sets uprouting tables and forwarding information bases as well as the packetprocessing action table entries associated with each established flow.Thereafter, all packets will be sent to the outbound network interfacewithout ever being touched by software, as long as the flows they belongto are cached in the flow cache. In one embodiment, VRE performance isat 3 Million packets per second (Mpps).

The routing processes described above are described in greater detail inU.S. Pat. No. 7,177,311, the descriptions of which are incorporatedherein by reference.

DiffServ QoS support in Virtual Routing Processor 30 includes TOS fieldupdate and rate control. Rate control includes packet rate metering,marking and dropping functions. Rate control comes in several flavors,which are not mutually exclusive: Ingress rate control based on the VI,rate control based on the flow to which the packet belongs, and egressrate control after the packet is routed and forwarded.

In one embodiment, rate metering and marking is implemented completelyin hardware for each flow. The hardware supports the concept of thecolor-blind and color-aware packet. In color-blind mode, the incomingpacket color is ignored, and any color can be added to the packet. Incolor-aware mode, the incoming packet color is taken into consideration.In this case, the incoming packet can be green, yellow or red. Greenpackets have the lowest probability of being dropped and will be droppedlast if necessary. If the incoming packet is green, the packet can staygreen or it can be downgraded to yellow or red; a packet can never beupgraded.

The two-rate three-color metering based on RFC 2698 marks its packetsgreen, yellow or red. A packet is marked red if it exceeds the PeakInformation Rate (PIR). Otherwise it is marked either yellow or greendepending on whether it exceeds or doesn't exceed the CommittedInformation Rate (CIR). It is useful, for example, for ingress policingof a service where a peak rate needs to be enforced separately from acommitted rate. The packet's color is encoded in the internal controlheader of the packet and will be interpreted by Flow Manager 26 forcongestion control purpose. The metering context is stored in mainmemory. The metering context contains status and state information, suchas number of bytes metered green, yellow and red, the PIR in bytes/timeslot, CIR in bytes/time slot, etc. This metering context is updatedevery time a packet is processed.

The QoS processes are described in U.S. Pat. No. 7,161,904, U.S. Pat.No. 7,116,665 and U.S. Pat. No. 7,177,311, the descriptions of which areincorporated herein by reference.

The Advanced Security Engine (AES) will be described next.

Creating, terminating and transporting IPSec tunnels is an integral partof IPSec-based VPNs, and encryption, decryption and authenticationprocesses are an integral part of any secure transaction. These are allnotoriously computation-intensive functions. The ASE consists of fourHi/fn 7851 encryption accelerators, a Hi/fn 6500 key accelerator and aSecurity Manager 38 (see FIG. 9). Security Manager 38 performs thefollowing functions: load balancing and managing security sessionsacross four Hi/fn 7851 encryption accelerators for wire speed throughputat 1+ Gbps, facilitating programming of registers for four Hi/fn 7851encryption accelerators and one Hi/fn 6500 key accelerator and providingsystem control header and security command message header translation.

The Hi/fn 7851 security processor features an embedded RISC CPU thatperforms all the packet header and trailer processing at 155 Mbps forback-to-back minimum size packets and at 622 Mbps for back-to-backmaximum size 1500 byte packets. For each Hi/fn 7851, a 64 MB SDRAM isused to store over 16,000 active security associations (with atheoretical maximum of 230,000). The Hi/fi 7851 processor provides thefollowing functions for IPSec: 3DES/RC4 encryption/decryption forpackets to/from access (subscriber) side, IPSec header (ESP/AH)encapsulation and parsing, SHA or MD-5 authentication service forpackets to/from access (subscriber) side, support for Public KeyInfrastructure (PKI) with RSA/Diffie-Hellman/DSA key algorithms and,optionally, LZS/MPPC-based compression/decompression for packets to/fromaccess (subscriber) side.

Packets that have been classified by the VRE arrive at the ASE for IPSectunnel creation or termination. Security Manager 38 decodes the securitysession ID for the packet. Then it strips off the system control headerand stores it in a SRAM. Security Manager 38 creates and prepends aHi/fn command message header to the original packet, directing it to thecorresponding Hi/fn 7851. The Hi/fn 7851 performs authentication andencryption or decryption services. In the case of encryption, encryptionis applied to the IP packet and an IPSec ESP/AH header is prepended toit. The EPSec header is pieced together from information contained inthe original packet control header as well as the Hi/fn results header.This ensures the QoS information in the original EP header is preserved.

At a given time, all four Hi/fn 7851s can be in various states ofprocessing of up to a total of four packets. The streaming bus isnon-blocking; that is, a smaller packet destined to one Hi/fn 7851 willnot be blocked behind a large packet to another Hi/fn 7851. This ensuresthat the ASE optimizes the aggregate throughput of all the Hi/fn 7851scombined.

The Midplane Interface 25 is where packets leave the IPSG to go toanother IPSG 20 or where packets arrive from another IPSG 20. In oneembodiment, Midplane Interface 25 is a 22 Gbps dual counter-rotatingring structure that is redundant, high performance and deterministic inthe transmission of packets. The Midplane Interface includes a FlowManager 26 with the same queuing and congestion control featuresdiscussed in connection with Line Interface/Network Module 24 above.

The IPNOS discussed above has an architectural structure that dovetailsperfectly with the IPSG architecture. IPSG 20 has been designed todeliver tailored hardware processing resources to address specific IPservices, and IPNOS provides the framework to take advantage of thosehardware capabilities. IPNOS is a distributed, object-oriented,multi-processor operating system designed to be scalable by dynamicallyallocating service elements to the best available resources. All IPservices, networks and even physical resources (e.g., processors andaccess circuits) are managed as objects or groups of objects by IPNOS.

As a service processing OS, IPNOS builds a foundation for customizedsubscriber-level IP services through the VR concept. IPNOS creates a VRas an object group and has the capacity to create tens of thousands ofobject groups. As the name implies, an object group is a group ofindependent objects (of the same or different types). A single objectgroup can contain tens of objects. There are a number of different typesof objects in IPNOS: device driver object, link layer object, TCP/IPobject, application object, etc.

The object model that IPNOS employs conforms roughly to the standard OSImodel for networks (see FIG. 10). As in a true object model, objectsthemselves are comprised of data definitions and various methods. Withcareful data design, objects enable efficient distributed processing byallowing a larger entity to be split into smaller pieces. Objectsexecute or .invoke. methods to react to events such as the arrival ofdata packets. Objects can invoke either their own methods or remotemethods residing in other objects. If a recipient object does not yetexist, the requesting object informs the Object Manager, whichinstantiates the new required object. In this way, objects interact witheach other to accomplish larger processing tasks.

One of the pieces of data for each object is the type of processingresource it needs to execute. Thus, when the Object Manager is asked toinstantiate a new object, it knows what kind of resource it needs andcan draw from the available pool of those tailored resources instead ofleveraging only generally available CPUs. For example, when an IPSectunnel needs to be created, the object group (a VR) requests a new IPSecobject to be created on an available ASE. This ability to dynamicallydistribute processing to tailored resources allows IPNOS to optimize allthe processing power designed into the system. In addition, it enablessome of the parallelism for packet processing that gives IPSG 20 itsability to operate at wire speed.

This process is described in greater detail in U.S. Pat. No. 7,340,535,described above, the description of which is incorporated herein byreference.

A step-by-step description of a representative packet flow through IPSG20 will be described next. The illustration in FIG. 11 shows thecomplete journey of a minimum size frame through an IPSG 20. CustomerVLAN-based traffic gets tunneled through a Sub VR EPSec tunnel in VRE-1and then routed to an SP EP core though an SP VR in VRE-2.

1. An 802.1q VLAN Ethernet packet arrives at a Gigabit Ethernet inputport on the Line Interface/Network Module 24. The Flow Manager 26programs the steering table look-up and decides which VLAN goes to whichVRE. Flow Manager 26 tags the packet with an internal control header andtransfers it from the Line Interface/Network Module 24 across theService Generator Fabric 22 to the selected VRE.

2. Upon arrival at the VRE, the packet enters the Virtual ServiceController 32 for deep packet classification. Based on the instructionsin the Virtual Service Controller's micro-code, various fields of thepacket header, i.e., IP source and destination addresses, UDP/TCP sourceand destination port numbers, IP protocol field, TOS field, IPSec headerand SPI field are extracted. An ACL flow associated with the packet isidentified. A flow cache is consulted to find out whether the packetshould be forwarded in software or hardware. (In this scenario, thepacket is to be processed in hardware and an index to the packetprocessing action cache is obtained.) The ingress VI metering andstatistics are registered as part of the ingress flow processing.

3. The packet is deposited via high-speed Direct Memory Access (DMA)into the VRE's main memory and then becomes accessible to the VirtualRouting Processor 30.

4. Virtual Routing Processor 30 retrieves the packet, identifies thepacket processing actions that can be achieved in hardware and thenperforms those actions, such as time-to-live decrement, IP headerchecksum adjustment and IP forwarding patch matching. The egressstatistics counters are updated.

5. The packet is forwarded to the ASE.

6. In the ASE, the packet gets encrypted and time-to-live isdecremented. The ASE performs encryption and prepends an IPSec tunnelheader.

7. The IPSec tunneled packet is handed back to the Sub VR in the VRE,which decides where to forward the packet (in this case, to the SP VR inVRE-2).

8. As the packet leaves the VRE-1 for the SP VR in VRE-2, the followingare processed: a. Egress VI statistics, b. VI metering and marking, c.VI maximum transmit unit enforcement, and d. Packet fragmentation (ifnecessary).

9. The packet arrives at the SP VR in VRE-2. It goes to the hardware FIBlookup, gets forwarded through the SP VR interface toward the SP core.At the egress, VI statistics and metering are performed.

10. The egress Flow Manager 26 applies priority queuing based onDiffServ marking and transmits the packet out of IPSG 20.

CONCLUSION

Systems and method for providing IP services have been described. Thesystems and methods described provide advantages over previous systems.

Although specific embodiments have been illustrated and describedherein, it will be appreciated by those of ordinary skill in the artthat any arrangement which is calculated to achieve the same purpose maybe substituted for the specific embodiments shown. This application isintended to cover any adaptations or variations of the presentinvention.

The terminology used in this application is meant to include all ofthese environments. It is to be understood that the above description isintended to be illustrative, and not restrictive. Many other embodimentswill be apparent to those of skill in the art upon reviewing the abovedescription. Therefore, it is manifestly intended that this invention belimited only by the following claims and equivalents thereof.

1. A system for providing Internet Protocol (IP) services, comprising: aswitch fabric; a line interface/network module coupled to the switchfabric; a plurality of virtual routing engines (VREs) coupled to theswitch fabric; and a virtual services engine (VSE), coupled to theswitch fabric, including at least one central processing unit configuredto perform firewall processing, Uniform Resource Locator (URL) filteringand anti-virus processing; wherein the line interface/network modulereceives packets and steers ingress packets across the switch fabric toa selected VRE of the plurality of VREs and transmits egress packetsaccording to their relative priority; wherein the line interface/networkmodule includes an egress forwarding manager which applies priorityqueuing to the egress packets based on DiffServ marking and transmitsthe egress packets out of the line interface/network module; wherein theselected VRE determines if a packet associated with a packet flowrequires processing by the VSE by performing flow-based packetclassification on the packet and evaluating forwarding state informationassociated with previously stored flow learning results based on apreviously received packet of the packet flow; and if the packet isdetermined to require processing by the VSE, then steering the packetacross the switch fabric to the VSE for one or more of the firewallprocessing, the URL filtering and the anti-virus processing.
 2. Thesystem of claim 1, further comprising a second VSE.
 3. The system ofclaim 2, wherein the second VSE comprises an advanced security engine(ASE).
 4. The system of claim 3, wherein the ASE comprises a pluralityof encryption accelerators, a key accelerator and a security managerconfigured to load balance and manage security sessions across theplurality of encryption accelerators.
 5. The system of claim 1, whereinthe line interface/network module includes an ingress forwarding managerwhich maintains a steering table mapping virtual local area networks toone or more VREs of the plurality of VREs.
 6. A method for providingInternet Protocol (IP) services comprising: providing within a flowmanager of a switch a steering table mapping a plurality of virtuallocal area networks (VLANs) to one or more of a plurality of virtualrouting engines (VREs) of the switch; receiving a packet associated witha VLAN of the plurality of VLANs at a line interface/network module of aplurality of line interface/network modules of the switch; the flowmanager steering the packet across a fabric of the switch to a VRE ofthe plurality of VREs based on a result of a steering table lookup ofthe VLAN in the steering table; the VRE identifying a packet flow withwhich the packet is associated by performing deep packet classification;the VRE determining if the packet requires processing by a virtualservices engine (VSE) of a plurality of VSEs of the switch by consultinga flow cache, the VSE including at least one central processing unitconfigured to perform firewall processing, Uniform Resource Locator(URL) filtering and anti-virus processing; if the packet requiresprocessing by the VSE, transferring the packet across the fabric to theVSE for processing; if the packet is not dropped or otherwise blocked asa result of one or more of the firewall processing, the URL filteringand the anti-virus processing, the VSE transferring the processed packetback to the VRE for forwarding; applying, by an egress forwardingmanager of the line interface/network manger, priority queuing to egresspackets based on DiffServ marking; and transmitting, by the egressforwarding manager, the egress packets out of the line/interface/networkmodule.
 7. A system for providing Internet Protocol (IP) services,comprising: a fabric; a line interface/network module coupled to thefabric; a plurality of virtual routing engines (VREs) coupled to thefabric; and a virtual services engine (VSE), coupled to the switchfabric, including at least one central processing unit configured toperform firewall processing, Uniform Resource Locator (URL) filteringand anti-virus processing; an advanced security engine (ASE) coupled tothe fabric; wherein the line interface/network module receives packetsand steers the packets to a selected VRE of the plurality of VREs basedon a result of a steering table lookup; wherein the lineinterface/network module includes an egress forwarding manager whichapplies priority queuing to egress packets based on DiffServ marking andtransmits the egress packets out of the line interface/network module;wherein the selected VRE determines if a packet associated with a packetflow requires processing by the one or both of the VSE and the ASE byperforming flow-based packet classification on the packet and evaluatingforwarding state information associated with previously stored flowlearning results based on a previously received packet of the packetflow; if the packet has been determined to require processing by theVSE, then steering the packet to the VSE for one or more of the firewallprocessing, the URL filtering and the anti-virus processing; and if thepacket is not dropped or otherwise blocked as a result of one or more ofthe firewall processing, the URL filtering and the anti-virus processingand the packet has been determined to require processing by the ASE,then the VSE steering the processed packet to the ASE for processing. 8.The system of claim 7, wherein the ASE comprises a plurality ofencryption accelerators, a key accelerator and a security managerconfigured to load balance and manage security sessions across theplurality of encryption accelerators.
 9. The system of claim 7, whereinthe line interface/network module includes an ingress forwarding managerwhich maintains a steering table mapping virtual local area networks toone or more VREs of the plurality of VREs.
 10. The method of claim 6,wherein the switch further comprises an advanced security engine (ASE),including a plurality of encryption accelerators, a key accelerator anda security manager, the method further comprising load balancing andmanaging security sessions, by the security manager, across theplurality of encryption accelerators.
 11. The method of claim 6, whereinthe line interface/network module includes an ingress forwardingmanager, the method further comprising maintaining, by the ingressforwarding manager, a steering table that maps virtual local areanetworks to one or more VREs of the plurality of VREs.